Notice for international visitors
This site is operated by a Spanish company. Spanish data protection law (LOPDGDD, Organic Law 3/2018), the EU General Data Protection Regulation (GDPR) and Spanish Information Society Services Law (LSSI-CE) apply. Non-EU residents should review the international transfers section below carefully, since data may be processed within the European Economic Area and, in limited cases, in third countries.
Data controller
- Company name: Papik Real Estate Group, S.L.U.
- Trade name: PAPIK Group
- Spanish Tax ID (NIF): B-63965834
- Address: Carrer de la Sort, 34, local 4, 08172 Sant Cugat del Vallès (Barcelona), Spain
- Contact email: info@papik.cat
- Phone: +34 935 906 074
Purposes of processing
PAPIK Group processes users' personal data to respond to requests for information, quotes or contact received through the website forms or by email; to manage the contractual and pre-contractual relationship with clients who request construction, development, retrofit or other PAPIK Group services; to send commercial communications and newsletters about its services, always with prior express consent; to comply with the legal, tax and accounting obligations applicable to the business; and to carry out aggregated statistical analysis of the website for service improvement, without identifying the individual user.
Legal basis
The legal basis for processing depends on the specific purpose. Handling requests is based on pre-contractual measures taken at the data subject's request or on their consent (articles 6.1.b and 6.1.a GDPR). The contractual relationship is based on the performance of a contract (article 6.1.b GDPR). Commercial communications are based on the data subject's express consent (article 6.1.a GDPR), revocable at any time. Compliance with legal obligations is based on article 6.1.c GDPR. Aggregated statistics are based on the controller's legitimate interest (article 6.1.f GDPR), after balancing it against the data subject's rights.
Retention period
Personal data is kept only for as long as is strictly necessary for the purpose for which it was collected. Information requests not converted into a contractual relationship are kept for the reasonable time needed to handle the request and, afterwards, up to 12 months unless the user expressly consents to a longer period. Contractual relationships are kept for the duration of the relationship and, afterwards, for the periods legally required to comply with tax obligations (minimum 4 years), accounting obligations (6 years) and the ten-year guarantee applicable to construction works (10 years) under Spanish law. Data linked to commercial communications is kept until the user withdraws consent, and aggregated statistics until service termination or an objection request.
Recipients
PAPIK Group does not transfer personal data to third parties, except for communications necessary to fulfil the stated purpose or required by law. To deliver the service, PAPIK Group relies on technology providers that act as data processors, with whom it has signed the corresponding agreements pursuant to article 28 GDPR:
- SW Hosting & Communications Technologies, S.L. (web hosting, with servers in the European Union).
- The Rocket Science Group, LLC (Mailchimp), for the management of newsletters and commercial communications.
- Google Ireland Limited, for website statistical analysis (Google Analytics), anti-spam protection (reCAPTCHA) and embedded maps (Google Maps).
Data is also disclosed to public authorities where required by law, to financial institutions in the case of mortgage management requiring their intermediation (always with the data subject's express consent), and to external legal, tax and accounting advisors bound by professional confidentiality.
International transfers
Some processors used by PAPIK Group may be located outside the European Economic Area (EEA), in particular providers of analytics, advertising or email tooling whose servers or parent companies are based in the United States or other third countries.
When this happens, PAPIK Group ensures that one of the transfer mechanisms recognised under articles 44 to 49 GDPR is in place:
- An adequacy decision from the European Commission for the recipient country, where one exists.
- The EU-US Data Privacy Framework (DPF), where the recipient is a US organisation that has self-certified under the Framework.
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where appropriate with additional technical and organisational safeguards in light of the Court of Justice's Schrems II ruling (case C-311/18).
- Binding Corporate Rules or specific derogations under article 49 GDPR, where applicable.
In practice, the providers that may process data in the United States are Mailchimp and Google, under the EU-US Data Privacy Framework or the Standard Contractual Clauses. Users have the right to know which third countries their personal data may be transferred to and which safeguards apply. To request this information, or to obtain a copy of the SCCs in force with a specific provider, please contact info@papik.cat.
Rights of data subjects
The user can exercise at any time the rights granted by data protection law:
- Right of access to their personal data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten").
- Right to object to processing.
- Right to restriction of processing.
- Right to data portability.
- Right not to be subject to automated individual decisions.
- Right to withdraw consent at any time, without retroactive effect.
To exercise these rights, the user can send an email to info@papik.cat indicating the right they wish to exercise, together with a copy of an ID document or equivalent proof of identity.
PAPIK Group will respond to the request within one month of receipt. This period may be extended by two further months if the request is complex or if there is a high volume of requests.
Complaints to the Spanish Data Protection Agency
Users have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if they consider that the processing of their personal data does not comply with applicable law.
The AEPD's contact details are available at www.aepd.es.
Users resident in another EU member state can also lodge a complaint with the supervisory authority of their habitual residence or place of work.
Security measures
PAPIK Group has implemented the technical and organisational measures necessary to ensure the security of personal data and prevent its alteration, loss, unauthorised processing or access, in accordance with article 32 GDPR.
Cookies
The use of cookies on the website is governed by our Cookie policy.
Modifications
PAPIK Group reserves the right to modify this privacy policy to adapt it to legislative or operational changes. The version in force is always the one published on the website with the last update date indicated at the top of the document.